My new Network Attached Storage and its Hardening

I got a Network Attached Storage from Synology a few months ago, and I did some very rudimentary hardening of it. Here are some notes.

⚠️ Note: I am not a security expert; these are just some simple steps I took to protect my system against the most generic of attacks. The goal of this post is to document my experiences. This is by no means a comprehensive list, and you should always follow best practices from your service provider and manufacturer. Do your own study and stay safe, kids.

The setup

A Network Attached Storage (NAS) is a dedicated device on which you store files and share them over the network. The specific model I got from Synology comes with a simple Linux distribution. It has its own Package Center with software that is integrated into its operating system, as well as a Docker runtime. I got it as a new learning toy to tinker with. The goal is to set up some simple home media services for file sharing and media playback on my family's devices.

Things I am doing on my NAS

The NAS isn't intended to deGoogle my life or to replace existing software subscriptions; it is to provide an additional local backup and transfer media files off my laptop.

These are the simple goals I aim to achieve:

  • a simple media server to stream some content
  • Time Machine backups for my Mac over the network
  • fast and huge storage for files

To that end, I only have a few services running on the device:

  • a native package that replicates some directories to my Google Drive
  • a media server running in Docker: Jellyfin
  • a VPN that requires minimal configuration and maintenance, so I can access my files and content outside of my home network: Tailscale

What I did to harden my NAS

Here is a list of basic security measures you should take on any service, which I did on my NAS:

  • disabled the default admin account
  • enabled multi-factor authentication for all admin accounts
  • created a non-admin account for myself and service accounts for automated tasks

Port forwarding?

I do not have a strong requirement for any of my services to be reachable from the internet. So, I did not configure any port forwarding or Dynamic DNS at my home router. This alone closes a huge gap: nothing on the NAS is reachable from outside, and the home router needs no new configuration. The media server and SMB shares all stay within the home network*.
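"No port forwarding" is easy to claim and worth verifying, because a router with UPnP enabled, a leftover forwarding rule, or an unfirewalled IPv6 address can expose a service anyway. The script below is an added check that is not part of the original post: it TCP-connects to the default ports of the services mentioned here (SSH 22, SMB 445, DSM 5000/5001, Jellyfin 8096) and reports which ones answer. Run it from a device that is off your home LAN, such as a phone on mobile data, against your router's public IP; the expected result is that nothing answers.

```python
import socket
import sys
from typing import Dict, Iterable, List

# Ports the services in this post would listen on if they were ever forwarded.
# Defaults: SSH 22, SMB 445, DSM HTTP/HTTPS 5000/5001, Jellyfin 8096.
NAS_PORTS = (22, 445, 5000, 5001, 8096)


def probe_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """TCP-connect to each port on host; True means something accepted the connection.

    Run this from a device that is NOT on the home LAN (a phone on mobile data)
    against the router's public address. Any True result means a port forward,
    a UPnP mapping or an unfirewalled IPv6 address is exposing that service.
    """
    results: Dict[int, bool] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:  # refused, timed out or unreachable: treat as closed
            results[port] = False
    return results


def exposed_ports(results: Dict[int, bool]) -> List[int]:
    """The subset of probed ports that accepted a connection, sorted."""
    return sorted(port for port, is_open in results.items() if is_open)


if __name__ == "__main__":
    # Usage: python3 probe.py <public-ip-or-hostname>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = exposed_ports(probe_ports(target, NAS_PORTS))
    if found:
        print(f"EXPOSED on {target}: {found}")
        sys.exit(1)
    print(f"nothing reachable on {target} for ports {list(NAS_PORTS)}")
```

If your ISP hands out IPv6, run it a second time against the NAS's global IPv6 address as well; a router that does not forward IPv4 ports may still pass IPv6 straight through, and `socket.create_connection` resolves and connects over IPv6 when given such an address.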

Tailscale VPN

Ok, I lied a little. I am running the NAS as a node on my VPN's mesh network so that I can access it over the internet when I am not home. Tailscale uses NAT traversal techniques to avoid port forwarding requirements. Under the hood, it uses WireGuard.

Synology DSM Security Advisor

The operating system for my NAS includes a package called Security Advisor. It runs through your configuration and checks for insecure defaults. But I don't think this is enough, and you should always do your own study.

Restricted access

Now that you understand my setup, the first step is to restrict access to the NAS to just a few entry points:

  • the media server in Docker: via the local network
  • SMB shares: via the local network
  • all other activities over the VPN: managed via Tailscale's Access Control List (ACL) rules
  • everything else is denied (the Tailscale ACL is default-deny, so any tailnet traffic not matched by a rule is dropped)

And so that's it. That's all the hardening I have done on my NAS so far.

Learning points

One surprising lesson was discovering how simple Software Defined Networking can be. By moving my entire personal network onto Tailscale and controlling connections and access via ACL rules, I no longer have to fiddle with dynamically changing IP addresses.

If I want to access a development build of an application on my MacBook from my phone, it's as simple as

  • enabling that port in the ACL rules
  • opening my Mac's domain name on my phone (yes, Tailscale lets you give each of your devices a domain name with very minimal configuration)

If I want to SSH from my iPad into my MacBook, I no longer have to look up the IP address of my MacBook and ensure that they are both on the same network before connecting. Now, I simply place them both on Tailscale, enter my MacBook's domain, enable the ACL rule for my MacBook's SSH port and voilà, it works every time once configured!
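Here is what such a policy looks like in one place, as an added example and not the author's actual Tailscale policy. It covers both the NAS entry points listed under Restricted access and the SSH and dev-build access to the Mac described just above. It assumes the NAS has been tagged `tag:nas` (tag name assumed; apply it with `tailscale up --advertise-tags=tag:nas` on the NAS), that the MacBook's Tailscale IP is `100.101.102.103` (assumed; check with `tailscale ip -4` on the Mac), that the dev build listens on port 3000 (assumed), and uses the default ports for DSM over HTTPS (5001), SMB (445), Jellyfin (8096) and SSH (22). Tailscale reads the policy file as HuJSON, so the comments are allowed.

```json
{
  // Tags let rules target the NAS by role instead of by whichever user logged it in.
  "tagOwners": {
    "tag:nas": ["autogroup:admin"]
  },
  // IP alias so rules can name the MacBook (assumed Tailscale IP).
  "hosts": {
    "macbook": "100.101.102.103"
  },
  "acls": [
    // DSM admin UI over the tailnet, HTTPS only (5001 is the DSM default; 5000 stays closed).
    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:nas:5001"] },
    // SMB shares (445) and Jellyfin (8096, its default port) when away from home.
    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:nas:445,8096"] },
    // SSH (22) and the dev build (3000, assumed) on the MacBook from my phone or iPad.
    { "action": "accept", "src": ["autogroup:member"], "dst": ["macbook:22,3000"] }
  ]
}
```

Anything not matched by an `acls` entry is denied, so there is no explicit "deny everything else" rule to write. Two caveats: the policy only governs traffic that travels over the tailnet, so devices on the home LAN still reach SMB and Jellyfin directly, and outbound connections the NAS initiates (such as the Google Drive sync) are unaffected. `autogroup:member` means every device owned by any member of the tailnet; on a single-user tailnet that is just your own devices.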

More info about TailScale

Fin

This project was not about reinventing my digital ecosystem but about enhancing it with efficient backup solutions and media storage strategies. Setting up the Synology NAS was a practical step, aimed at improving my home's media storage and backup efficiency. It also offered me a humble, yet enlightening, introduction to the complexities of network security and the management of Software Defined Networking.